Private queries allow a user Alice to learn an element of a database held by a provider Bob without revealing which element she was interested in, while limiting her information about the other elements. We propose to implement private queries based on a quantum key distribution protocol, with changes only in the classical post-processing of the key. This approach makes our scheme both easy to implement and loss-tolerant. While unconditionally secure private queries are known to be impossible, we argue that an interesting degree of security can be achieved, relying on fundamental physical principles instead of unverifiable security assumptions in order to protect both user and database. We think that there is scope for such practical private queries to become another remarkable application of quantum information in the footsteps of quantum key distribution.




I. INTRODUCTION 

As telecommunication gains steadily in importance, questions of security and privacy naturally arise. Indeed, private data is stored on a grand scale and has become a precious commodity. Unfortunately, as a matter of principle classical information theory is not able to secure privacy in telecommunication against an unlimited adversary. It was hence found all the more extraordinary that quantum key distribution (QKD) allows such "unconditionally" private communication, provided that the two parties trust each other. However, the more general case of communication between distrustful parties, who not only wish to protect their common privacy against eavesdropping, but also their individual privacy against each other, is maybe of even greater interest.

Private queries are an important problem of this type. Imagine that a user, Alice, wants to know an element of a database held by a database provider, Bob, but does not want him to know which element she is interested in. Bob in turn wants to limit the amount of information that she can gain about the database. In particular, he does not want to just hand over the whole database, which would trivially allow Alice to learn her bit of interest without giving any information on her choice away. It is not hard to imagine scenarios (e.g. in the financial world) where the capability of implementing such private queries would be useful. The information stored in the database may be both valuable and sensitive, such that Bob would like to sell it piece by piece, whereas the mere fact of being interested in an element of the database might already reveal something important about Alice (e.g. that she is thinking about buying a certain company). Of course, if there was a cheap way of realizing the task, it would also be interesting for protecting privacy in online bargaining and web search, for example, as well as to construct other interesting cryptographic primitives from it [1].

The described task is also known as symmetrically private information retrieval and as 1-out-of-N oblivious transfer [2]. It has attracted much attention both in computer science [3, 4] and in quantum information. Classically, the problem seems like a logical contradiction: how could a database provider answer a question, which he is not supposed to know, without giving any additional information? One might hope that quantum mechanics could solve this dilemma. Several quantum protocols were proposed, see for example Refs. [5, 6], none of which were found to offer complete protection for both sides. Indeed, it was subsequently proven in Ref. [7] that the described task cannot be implemented ideally, not even using quantum physics. The essential assumption in the impossibility proof is that the protocol is perfectly concealing, i.e. that Bob has no information whatsoever about which database element Alice has retrieved. Rephrased at the quantum level this is understood as the condition that the density matrix of Bob's subsystem must be completely independent of Alice's choice. Ref. [7] shows that under this condition Alice can always implement an attack based on the Schmidt decomposition which allows her to read the entire database. This argument is closely linked to the well-known impossibility proofs for quantum bit commitment [8, 9].

Recently, Giovannetti, Lloyd and Maccone [10] pointed out that very interesting degrees of privacy are achievable for protocols that are not perfectly concealing, because of the possibility to catch dishonest parties due to the errors they introduce, see also [11]. In the protocol of Ref. [10] Alice encodes her question in a quantum state, which she sends to Bob. She also sends a decoy state, which gives her a chance to detect if Bob is cheating. The security relies on the impossibility to perfectly discriminate the non-orthogonal question and decoy states, and on the changes Bob's measurement will introduce as a consequence. Unfortunately the protocol is very vulnerable in realistic situations where there are significant transmission losses, such that Alice has to send the same question multiple times. If some of the losses are in fact due to Bob tapping the line, then he can learn Alice's question without being detected.



II. CLAIM 

In this paper we present a new approach to the private query problem. Our protocol is explicitly not perfectly concealing in the above sense, so that the impossibility proof of Ref. [7] does not apply. We show that the following statements hold for our protocol.

(1) Database security is very good. Even for relevant multi-qubit joint measurements Alice's accessible information is restricted to a well-defined small percentage of the database elements. The concrete limits for different attacks are shown in the security discussion. Moreover, the additional elements Alice learns are randomly distributed over the database and therefore of little use to her. In general, database security is ensured by the impossibility of perfectly distinguishing non-orthogonal quantum states.

(2) User privacy is also very high. We study several natural attacks and derive a simple limit on the information Bob can obtain. In general, we show that the no-signaling principle implies that every malicious action of Bob will introduce errors and can hence be detected by Alice: systematic cheating is impossible.

The protocol relies on QKD with changes only in the post-processing and can hence profit from many of the advantages of this well-understood and commercially available technology. In comparison to Ref. [13] it offers the advantage of practical feasibility, in particular loss-tolerance and scalability to large databases.

Note that the incorporation of security assumptions such as the bounded storage model [14] could make the protocol completely secure, under the condition that those assumptions are fulfilled. However, even in the absence of such assumptions, our protocol's basic security is guaranteed by fundamental physical principles, namely the impossibility of perfectly discriminating non-orthogonal quantum states and the impossibility of superluminal communication.

It should be underlined that we do not propose an ideal cryptographic primitive, which would furthermore allow one to construct other ideal cryptographic primitives such as user identification, bit commitment and coin flipping [1], but a new practical and potentially very useful application of quantum communication.



Our protocol is similar to the proposal of Bennett, Brassard, Crépeau and Skubiszewska [5], which can be interpreted to rely on BB84 QKD [15]. It is well known that the proposal of Ref. [5] is susceptible to a quantum memory attack by the user, which corrupts database security entirely. The crucial point is that it is perfectly concealing, hence Lo's impossibility proof [7] implies that the user can learn the entire database, in this case with the help of a quantum memory. We show that this type of attack can be forestalled by using the SARG04 QKD scheme [16] instead of BB84. Then user privacy is slightly weakened, but the quantum memory attack is no longer feasible. Moreover, the errors a cheating provider introduces largely guarantee user privacy.



III. APPROACH 

In order to better understand our approach it is very useful to compare it to QKD. In general QKD consists of a first phase, where a large number of quantum states are prepared, exchanged and measured, and then a second phase, where Alice and Bob extract a key from the quantum communication part with the help of an a priori chosen coding and interpretation process. The key is then known to both Alice and Bob entirely and can be used to encrypt the actual message, which is sent via a classical channel. The quantum states and the post-processing procedure are chosen such that the key cannot be eavesdropped on without introducing errors, thus protecting Alice's and Bob's common privacy.

The basic idea of our protocol is to use QKD in combination with adequate post-processing to generate an N-bit string K^f that will serve as an oblivious key [17] for a database of N bits. For this purpose, K^f must be distributed in such a way that (1) Bob knows the key entirely, (2) Alice knows only a few bits of K^f, ideally exactly one (database security), and (3) Bob does not know which bits are known to Alice (user privacy). In order to use K^f to encrypt the database, Bob adds key and database bitwise with a relative shift chosen by Alice and sends her the encrypted database. The relative shift is needed in order to ensure that Alice's bit of interest is encoded with an element of K^f she knows, so that she can decipher the bit and thus receive the answer to her private query.

Within our approach, the case of Alice knowing exactly one bit cannot be realized deterministically. So in general Alice will know a few bits of K^f, which means that database privacy is good but not perfect. As the number of Alice's elements is Poisson-distributed, there is also a small probability of Alice having no bit in the end. The protocol then needs to be repeated. This can be done without loss of privacy for either party: the created string K^f does not contain any information on the database, so database security is not touched, and likewise the shift (which maps Alice's known key element onto the database element she needs) is only communicated once a correct key has been established. Of course, Alice could claim to have obtained no element of K^f with the hope of having more elements after a repetition. However, this strategy can be made ineffective by choosing the parameters of the protocol such as to make the case of Alice having no element very unlikely, cf. also section V.

As already mentioned, the generation of K^f can be based on QKD techniques. Consider for instance 4-state BB84-type QKD. After Bob has sent the states (without further information), Alice, choosing measurement bases at random, will measure half of the bits she receives in the correct basis, without yet knowing for which ones her choice was correct. When Bob subsequently announces the bases, we have the situation that (I) Bob knows the entire "raw key", (II) Alice knows half of the bits and (III) Bob cannot know which ones Alice has measured correctly. Alice's limited information on the raw key can now be further diluted by adequate processing in order to generate the oblivious key K^f, and this is indeed the way Ref. [5] essentially works. However, if Alice has a quantum memory this protocol is no longer secure. She can then store the received states and postpone all measurements until after Bob's announcement. By doing so, she can learn K^f entirely; there is hence actually no database security at all.

Fortunately this attack can be largely forestalled rather easily if one uses a SARG-QKD scheme instead of BB84. SARG04 uses the same states as 4-state BB84. The main difference lies in the attribution of bit values to the quantum states. Whereas in BB84 one state from each of the two bases codes for 0, the other one for 1, in SARG04 it is the basis itself that codes for the bit value. I.e., if Bob sends a state in the "up-down" basis ↕ this signifies a 0, and a state from the "left-right" basis ↔ means 1. During the post-processing Bob does not announce which basis he has used for each qubit. Instead Bob announces the state he has sent plus one state from the other basis (in random order). Alice is thus faced with a state discrimination problem that cannot be solved perfectly, i.e. unambiguously and deterministically at the same time. This slight change has profound implications for SARG04 QKD [18]. Here we show that it is also very useful for implementing private queries. A simple protocol based on this approach consists of the following steps.

IV. PROTOCOL 

1. Bob sends a long random sequence of qubits (e.g. photons) in the states |↑⟩, |↓⟩, |←⟩ and |→⟩. The states |↑⟩ and |↓⟩ code for 0, |←⟩ and |→⟩ correspond to bit value 1. For instance, to send a bit 1 Bob can prepare a qubit in the state |→⟩.

FIG. 1: How to reduce Alice's information: her information on a sum string is lower than that on the initial strings. Question marks symbolize bits whose value is unknown to Alice.

2. Alice measures each state in the ↕ or ↔ basis at random. This alone does not allow her to infer the sent bit value.

3. Alice announces in which instances she has successfully detected the qubit; lost or not detected photons are disregarded. The possibility to discard bits does not allow Alice to cheat, because after step 2 she still has no information whatsoever on the sent bit values, cf. step 5. As a consequence, the protocol is completely loss-independent.

4. For each qubit that Alice has successfully measured, Bob announces a pair of two states: the one that has actually been sent and one from the other basis, in random order, so that every announced pair contains one state of the ↕ basis and one state of the ↔ basis. If |→⟩ has been sent, Bob could announce for instance {|↑⟩, |→⟩}. This is exactly as in the SARG04 QKD protocol [16].

5. Alice interprets her measurement results of step 2 in the light of the pair announced in step 4. Depending on which basis she has chosen and which result she has obtained she will be able to decipher the sent bit value or not. For instance, if |→⟩ has been sent and {|↑⟩, |→⟩} was announced, Alice can rule out |↑⟩ only if she has measured in the ↕ basis and obtained the result |↓⟩. She can then conclude that the state was |→⟩ and the bit value is 1. Direct measurement as under step 2 will yield 1/4 conclusive results and 3/4 inconclusive ones. Both conclusive and inconclusive results are kept. Alice and Bob now share a string which is known entirely to Bob and in a quarter to Alice.

6. The created string must be of length k × N (with k a security parameter). It is cut into k substrings of length N. These strings are added bitwise in order to reduce Alice's information on the key to roughly one bit, cf. Fig. 1.

7. If Alice is left with no known bit after step 6, the protocol has to be restarted. The probability for this to occur can be kept small. See also the discussion in the previous and following sections.
8. If K^f has been established correctly, Alice will know at least one element of it. Suppose she knows the j-th bit K_j and wants the i-th bit of the database, X_i. She then announces the number s = j − i in order to allow Bob to encode the database by bitwise adding K^f, shifted by s (indices taken modulo N). So Bob announces the N bits C_m = X_m ⊕ K_{m+s}, of which Alice can read C_i = X_i ⊕ K_j and thus obtain X_i. The shift will hence make sure that Alice's bit of interest is coded with a key element she knows, so that the private query can be completed.
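The eight steps above, run end to end as a classical simulation. This is an added example and not code from the paper: photon measurements are replaced by exact sampling of their outcome probabilities (same basis: deterministic, conjugate basis: uniformly random), which reproduces the single-photon statistics; the loss rate, seed, N, k and all function names are assumptions of this example. Alice's interpretation rule, the k-row bitwise addition and the shifted one-time-pad of step 8 are implemented literally, so the run shows that a conclusive result is never wrong, that about a quarter of raw bits are conclusive, and that the decoded bit equals the database bit whenever Alice knows at least one key element.

```python
"""Classical end-to-end simulation of protocol steps 1-8.

Added example; this is not code from the paper. Quantum measurements are
replaced by exact sampling of their outcome probabilities (same basis:
deterministic, conjugate basis: uniform), so the statistics match the
single-photon case. Loss rate, seed, N and k below are assumed values.
"""
import random

UPDOWN, LEFTRIGHT = 0, 1   # the two bases; in SARG04 the basis is the bit value
# A state is (basis, index): (0,0)=|up>, (0,1)=|down>, (1,0)=|right>, (1,1)=|left>


def measure(state, meas_basis, rng):
    """Outcome index of measuring `state` in `meas_basis`."""
    basis, index = state
    return index if meas_basis == basis else rng.randrange(2)


def announce_pair(state, rng):
    """Step 4: the sent state plus one random state of the other basis, shuffled."""
    basis, _ = state
    pair = [state, (1 - basis, rng.randrange(2))]
    rng.shuffle(pair)
    return pair


def interpret(pair, meas_basis, outcome):
    """Step 5. Alice can rule out an announced state only if she measured in
    its basis and got the orthogonal outcome; the other state was then sent
    and its basis is the bit. Returns 0/1, or None if inconclusive."""
    for position, (basis, index) in enumerate(pair):
        if basis == meas_basis and index != outcome:
            return pair[1 - position][0]
    return None


def raw_key(length, loss, rng):
    """Steps 1-5 until `length` qubits were detected. Lost photons (step 3)
    are skipped; Alice has no bit information at that point, so this is safe."""
    bob, alice = [], []
    while len(bob) < length:
        state = (rng.randrange(2), rng.randrange(2))        # step 1
        if rng.random() < loss:
            continue                                          # step 3: no click
        basis = rng.randrange(2)                              # step 2
        outcome = measure(state, basis, rng)
        alice.append(interpret(announce_pair(state, rng), basis, outcome))
        bob.append(state[0])
    return bob, alice


def oblivious_key(N, k, loss, rng):
    """Step 6: cut the k*N raw key into k rows and add them bitwise.
    Alice knows final bit j only if she knows all k raw bits in column j."""
    bob, alice = raw_key(k * N, loss, rng)
    bob_key, alice_key = [], []
    for j in range(N):
        column = [(bob[r * N + j], alice[r * N + j]) for r in range(k)]
        bob_key.append(sum(b for b, _ in column) % 2)
        alice_key.append(None if any(a is None for _, a in column)
                         else sum(a for _, a in column) % 2)
    return bob_key, alice_key


def private_query(database, bob_key, alice_key, i, rng):
    """Step 8 for database bit i; None means step 7 (restart) applies."""
    N = len(database)
    known = [j for j, bit in enumerate(alice_key) if bit is not None]
    if not known:
        return None
    j = rng.choice(known)
    s = (j - i) % N                                   # Alice announces s = j - i
    cipher = [database[m] ^ bob_key[(m + s) % N] for m in range(N)]   # C_m = X_m + K_{m+s}
    return cipher[i] ^ alice_key[j]                   # C_i = X_i + K_j


def conclusive_stats(samples, loss, seed):
    """Fraction of conclusive raw bits and number of wrongly decoded ones."""
    bob, alice = raw_key(samples, loss, random.Random(seed))
    conclusive = sum(a is not None for a in alice)
    wrong = sum(1 for a, b in zip(alice, bob) if a is not None and a != b)
    return conclusive / samples, wrong


def run(N=200, k=3, loss=0.5, i=17, seed=1):
    """One full run on a constructed random database; returns (decoded, true bit, n)."""
    rng = random.Random(seed)
    database = [rng.randrange(2) for _ in range(N)]
    bob_key, alice_key = oblivious_key(N, k, loss, rng)
    decoded = private_query(database, bob_key, alice_key, i, rng)
    return decoded, database[i], sum(b is not None for b in alice_key)


if __name__ == "__main__":
    decoded, truth, n_known = run()
    print(f"Alice knows {n_known} of 200 key bits; decoded {decoded}, true bit {truth}")
```

With N = 200 and k = 3 the expected number of known key bits is 200/4^3 ≈ 3.1, so a run returns None in roughly e^{-3.1} ≈ 4% of seeds, which is exactly the restart case of step 7. The simulation also makes the loss argument of step 3 concrete: the loss rate only changes how many qubits Bob has to send, not what Alice can infer.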



V. DISCUSSION 

Steps 1 to 5 of the above protocol are completely identical to SARG04 QKD, with the only difference that every bit is kept, regardless of whether it is conclusive or not for Alice. SARG04 was initially conceived to make QKD more resistant to photon number splitting attacks when weak pulses are used instead of single photons for the sake of practical feasibility. In our case the use of SARG04 does not only provide us with the benefits of loss-tolerance, technological practicability and conceptual closeness to well-understood QKD, but it also prevents the quantum memory attack that destroyed the security of the protocol of Ref. [5]. Even using a quantum memory Alice is always confronted with the problem of discriminating two non-orthogonal quantum states, and will hence always have incomplete knowledge on the raw key. This lack of information is subsequently further amplified by step 6.

Note that following the "honest" way of measuring and interpreting her results Alice will also gain probabilistic information on non-conclusive bits. If Alice obtains no conclusive result, it is with probability 2/3 because she has chosen the same basis for measurement as Bob has chosen for state preparation (which will never yield a conclusive result). Considering the example of step 5, Alice can obtain the result |→⟩ when measuring in ↔ both if Bob sent |→⟩ (then with probability 1) and if Bob sent |↑⟩ (then with probability 1/2 only). So, although |→⟩ is not a conclusive result, Alice can infer that the sent state was |→⟩ (bit 1) with probability 2/3 and |↑⟩ (bit 0) with probability 1/3. This additional information can be diluted to a negligible level by the post-processing of step 6.

After creation of the raw key of k × N bits, the string is divided into k substrings of length N. Following the protocol, after adding the substrings, Alice will on average know

n = N (1/4)^k

bits, where the number n follows approximately a Poisson distribution. On the other hand, the probability P_0 that she does not know any bits at all and that the protocol must be restarted is

P_0 = (1 − (1/4)^k)^N ≈ e^{−n}.

For large N, which is the most interesting case in practice, it is therefore possible to ensure both n ≪ N and small P_0 by choosing an appropriate value of k. For instance, for a database of N = 50000 elements, k = 7 is a choice providing Alice with n ≈ 3 elements of the final key on average, whereas the probability of failure is only about 5%, see also Tab. I. The case of many repetitions (which might allow Alice to wait until she obtains a large value of n by chance) is hence very unlikely. This is important for the protocol's security. Since the states sent by Bob do not contain any information about the database, and since Alice only chooses and communicates the shift s to Bob once she knows at least one bit of the final key, a few repetitions will not compromise anybody's security. Note that even if Alice knows n > 1 bits of the oblivious key, she has to pick a single shift s, which means that in general she can only learn one chosen element of the database, since the other n − 1 bits known to her will be at random positions in the key and thus in the database.

TABLE I: Example of possible choices of k for different database sizes N. We show the failure probability P_0 and the expected number of elements n an honest Alice will obtain.

  N    |  10^3  | 5×10^3 |  10^4  | 5×10^4 |  10^5  |  10^6
  k    |   4    |   5    |   6    |   7    |   7    |   9
  P_0  | 0.020  | 0.008  | 0.087  | 0.047  | 0.002  | 0.022
  n    | 3.91   | 4.88   | 2.44   | 3.05   | 6.10   | 3.81

However, the fact that Alice normally obtains additional, less interesting bits should not be seen only as a drawback of the protocol, as it also offers an interesting possibility to enhance her security: Alice can buy the extra bits in question publicly (as opposed to privately), in order to compare them with Bob's answers. As explained in detail in the security section, a cheating Bob will always lose knowledge on K^f. The errors he thus introduces will then be detectable for Alice. This way what seems to be a flaw in the protocol can be used to strengthen user privacy.

VI. SECURITY 

We now turn to the question of which degree of privacy 
our protocol offers precisely. We study the most evident 
attacks and clarify the way in which two fundamental 
physical principles provide the basis for the protocol's 
security. While basic attacks are studied and the essential 
intuition is given, a complete security analysis remains 
work for the future. 



A. Database security 

FIG. 2: The upper bound on the success probability of the joint unambiguous state discrimination (USD) measurement on k qubits declines rapidly with k.

Let us first discuss database security. In general one must assume that Alice disposes of a quantum memory and is hence not forced to measure directly as in step 2. Instead she can keep the photon and, once Bob has announced the state pair, apply the optimal unambiguous state discrimination measurement [19, 20] that will correctly tell her which of the two announced states has actually been sent. The success probability of USD is, for the case of two equally likely states, bounded by 1 − F(ρ_0, ρ_1), where F(ρ_0, ρ_1) is the fidelity between the two quantum states one seeks to discriminate. Here, Alice's measurement will hence only work with a success probability of

1 − |⟨↑|→⟩| = 1 − 1/√2 ≈ 0.29,

only slightly more than the 0.25 of the direct measurement. In the above example with N = 50000 and k = 7 this will provide her with n ≈ 9.3 elements on average, only a small gain compared to n ≈ 3 and very little in relation to N = 50000 for such a complex attack. So even using a quantum memory, individual measurements will not substantially increase her information on K^f. The reason for this is precisely the fact that our protocol is based on SARG04 rather than on BB84 coding.

A more general attack is to store the received photons in a quantum memory and to postpone all measurements until the very end of the protocol after step 6, so that she knows which k qubits contribute to an element of the final key. The individual bit values of the raw key are actually of no interest for her. So, instead of performing the optimal individual measurement on each of the k qubits constituting an element of K^f, Alice should perform a joint measurement. An example for this is Helstrom's minimal error-probability measurement, i.e. the measurement that distinguishes two quantum states with the highest information gain [21, 22]. In the case of two equally likely quantum states ρ_0 and ρ_1 the probability to guess the state at hand correctly is bounded by

P_guess = 1/2 + (1/2) D(ρ_0, ρ_1),

where D(ρ_0, ρ_1) is the trace distance. For a joint Helstrom measurement on a bit of K^f one finds this probability to scale with the number k of added qubits as

P_guess = 1/2 + 1/(2 √(2^k)).

So the more substrings are added to generate the final key, the harder it is for her to guess the bit value, i.e. the parity of the k qubits. For example, for k = 7 Alice will guess a key element correctly with 54.4% instead of 50% for a random guess. Likewise, the success probability of unambiguously discriminating the two k-qubit mixed states corresponding to odd and even parity declines rapidly with the number of qubits k, see Fig. 2. In conclusion, it is clear that the impossibility to perfectly distinguish non-orthogonal quantum states can effectively protect the database's security and prevent Alice from knowing a substantial part of it, even when she uses perfect storage technology and realizes the theoretically optimal joint measurements. We see that by incorporating a SARG04 state discrimination problem as a vital part of the protocol, the Schmidt attack of Lo's impossibility proof can be averted. The price to pay is a protection of the user that is not total. We now turn to the question of user privacy.
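The parameter trade-off of section V (Table I) and the database-security figures above, evaluated from the closed-form expressions in the text. This is an added example, not code from the paper: the functions compute n = N p^k and P_0 = (1 − p^k)^N for the honest conclusive fraction p = 1/4 and for the USD bound p = 1 − 1/√2, and the Helstrom scaling P_guess = 1/2 + 1/(2√(2^k)). The thresholds in choose_k (n at most 6.5, P_0 at most 0.1) and all helper names are assumptions of this example; with those thresholds choose_k reproduces every k in Table I.

```python
"""Parameter choice for Table I and the database-security bounds of Sec. VI.A.

Added example, not code from the paper: it evaluates the closed-form
expressions of the text. The thresholds in choose_k and the helper names
are assumptions of this example.
"""
import math

P_DIRECT = 0.25                     # conclusive fraction of a direct measurement (step 5)
P_USD = 1 - 1 / math.sqrt(2)        # USD bound 1 - |<up|right>| ~ 0.293 (quantum memory)


def expected_known(N, k, p=P_DIRECT):
    """n = N p^k: mean number of final-key bits Alice knows after adding k rows."""
    return N * p ** k


def failure_probability(N, k, p=P_DIRECT):
    """P_0 = (1 - p^k)^N: Alice knows no bit at all and the protocol restarts."""
    return (1 - p ** k) ** N


def choose_k(N, max_expected=6.5, max_failure=0.1):
    """Smallest k with n <= max_expected, plus whether P_0 <= max_failure there.
    Larger k lowers n (database security) but raises P_0 (more restarts, each a
    chance for Alice to wait for a large n), so both targets must be checked."""
    k = 1
    while expected_known(N, k) > max_expected:
        k += 1
    return k, failure_probability(N, k) <= max_failure


def helstrom_guess(k):
    """P_guess = 1/2 + 1/(2 sqrt(2^k)) for the joint minimum-error measurement on
    the parity of k SARG04 qubits (the paper's scaling); k = 1 gives 0.854."""
    return 0.5 + 0.5 / math.sqrt(2 ** k)


def table_row(N, k):
    """One row of Table I, extended by the quantum-memory attack figures."""
    return {"N": N, "k": k,
            "P0": round(failure_probability(N, k), 3),
            "n": round(expected_known(N, k), 2),
            "n_usd": round(expected_known(N, k, P_USD), 2),
            "p_guess": round(helstrom_guess(k), 3)}


if __name__ == "__main__":
    for N, k in [(10**3, 4), (5 * 10**3, 5), (10**4, 6), (5 * 10**4, 7), (10**5, 7), (10**6, 9)]:
        assert choose_k(N)[0] == k        # the thresholds above reproduce Table I
        print(table_row(N, k))
```

One caveat for anyone reproducing the numbers: with the exact value 1 − 1/√2 = 0.2929 the USD attack on N = 50000, k = 7 yields n ≈ 9.25; the 9.3 quoted in the text corresponds to rounding the success probability to 0.293 first. The conclusion is unchanged either way.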



B. User privacy 

As we have discussed above, a not perfectly concealing protocol, i.e. a protocol where Bob can gain some information on Alice's choice, is the prerequisite to prevent her from being able to compromise database security entirely [7]. For the given protocol it may not be obvious at first sight how Bob can access information on Alice's choice, in the absence of any classical or quantum communication from her to him. It turns out that he can indeed gather information on a bit's conclusiveness, and hence infer if that particular bit is more or less likely to be a key element Alice knows.

The simplest attack for Bob is to send other states than he announces, for instance a state |↗⟩ that is exactly intermediate between |↑⟩ and |→⟩, while announcing the pair {|↑⟩, |→⟩}. Alice's probabilities to measure |↓⟩ or |←⟩ are largely reduced. Indeed, she will find a probability of only 14.64% to have such a conclusive result. Likewise, sending the state |↖⟩ (orthogonal to |↗⟩) while announcing {|↑⟩, |→⟩} will raise the probability to interpret the result as conclusive to 85.36%. Bob can thus bias the probability of conclusive results for Alice continuously between the above limits. However, every such attack will introduce errors, as Bob cannot predict her outcome with certainty. In the example above, Alice registering |↓⟩ and |←⟩, i.e. both bit values, are equally likely events, and Bob's bit error rate will therefore be as high as 50%. This evident example shows that Bob can gain information on the conclusiveness of Alice's bits but will then lose information on the bit values she has recorded.

The presented attack is closely related to an attack that uses entanglement. Bob prepares a state of two qubits

(|↑⟩_A |R_0⟩_B + |→⟩_A |R_1⟩_B) / √2,

where the first qubit is sent to Alice and the second is kept in Bob's register (with ⟨R_0|R_1⟩ = 0). Bob announces having sent |↑⟩ or |→⟩. Once Alice has successfully measured and accepted her qubit, Bob can decide if he wants to measure honestly, i.e. recover the sent bit value, or gain some information on the conclusiveness of Alice's measurement. In order to proceed honestly Bob measures his register in the basis {|R_0⟩, |R_1⟩}, which tells him which of the two announced states has actually been sent. He then knows which bit value Alice will record in case of a conclusive outcome, but has gained no improved estimation of the likelihood for this to happen. In contrast, measuring in the {(|R_0⟩ + |R_1⟩)/√2, (|R_0⟩ − |R_1⟩)/√2} basis provides him with likelihood information on the conclusiveness of a bit, but clearly yields no information at all on the sent bit value.

This second measurement can also be seen from another angle. If Alice has obtained a conclusive result (probability 1/4), Bob's register is in the state

ρ_c = ( 1/2   0  ;  0   1/2 ),

and if Alice's measurement was inconclusive (probability 3/4) he has

ρ_n = ( 1/2   √2/3  ;  √2/3   1/2 ),

both written in the basis {|R_0⟩, |R_1⟩}. Since ρ_c ≠ ρ_n the protocol is not perfectly concealing. Using the criteria of Refs. [19, 20] one can show that these two density matrices cannot be discriminated unambiguously for the single-qubit case. The best chance to guess the state correctly is 85.36%, as for the previous attack. The second given measurement basis does indeed constitute Helstrom's minimal error probability measurement [22] for the conclusiveness of one of Alice's bits. As a matter of fact, one can show that, given an arbitrary mixed qubit state, the likelihood to measure a conclusive result will be confined by the very same bounds (85.36% and 14.64%). No qubit state can only yield conclusive results upon the above measurement, or only yield inconclusive results. This individual attack is therefore optimal, yields information on the bit's conclusiveness, and completely erases the bit value information from Bob's register. This last point means that Bob will not know K^f correctly; a cheating Bob can then be caught when providing wrong answers [12]. In principle these results can be generalized to joint measurements on several qubits; however, these complicated attacks are beyond the scope of this paper. Instead we will now clarify the conceptual reason why it is impossible for Bob to have both the correct bit value and conclusiveness information.

Let us suppose that Bob can gain information on the conclusiveness of one of Alice's elements of the raw key, either by construction of the sent state, or by some measurement performed on his register at the end of the protocol. Let us characterize this information by p_c, the probability with which Bob correctly guesses that Alice has a conclusive result. (Remember that this likelihood is physically bounded by 0.1464 ≤ p_c ≤ 0.8536 if a single qubit is sent.) Let us also assume that, either by construction of the state or by some second measurement, Bob can also guess the bit value b Alice has recorded (if her measurement was conclusive) and is correct about it with the probability p_b. Recalling the way Alice interprets her measurement results in step 5 of the protocol, it is clear that, if Bob correctly guesses that Alice's result was indeed conclusive and correctly guesses which bit value she has obtained, then he also correctly guesses which measurement basis she has used for this qubit in step 2. However, since there is no communication whatsoever from Alice to Bob about her choice of basis, the no-signaling principle dictates that his probability to guess her basis correctly has to be equal to 1/2. Otherwise the procedure would allow Alice to send signals to Bob that are faster than the speed of light. This immediately implies the bound

p_c × p_b ≤ 1/2.

The inequality arises because even for inconclusive results Bob has a chance to guess Alice's basis correctly. This simple upper bound illustrates the crucial point: whenever Bob tries to alter the conclusiveness probability of certain bits in order to better judge which bits of K^f are (un)known to Alice, he will necessarily lose information on the bit value Alice records, in order to comply with the no-signaling principle. This introduces errors in K^f and hence also in the encrypted database, i.e. he will run the risk of giving wrong answers.
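The three user-privacy results of this section computed explicitly: the 14.64% and 85.36% conclusiveness limits of the state-substitution attack, the register states ρ_c and ρ_n of the entanglement attack with their Helstrom success probability, and the no-signaling bound p_c × p_b ≤ 1/2 scanned over all pure qubit states. This is an added example, not code from the paper; it works with real amplitudes (all states involved lie in the real plane), fixes the announced pair to {|↑⟩, |→⟩} as in the text, and the scan resolution and helper names are its own assumptions.

```python
"""Bob's attacks on user privacy (Sec. VI.B), evaluated numerically.

Added example, not code from the paper. All states lie in the real plane, so
real 2-vectors suffice; the announced pair is fixed to {|up>, |right>} as in
the text, and the scan resolution and helper names are this example's.
"""
import math

SQ2 = math.sqrt(2)
UP, DOWN = (1.0, 0.0), (0.0, 1.0)
RIGHT, LEFT = (1 / SQ2, 1 / SQ2), (1 / SQ2, -1 / SQ2)
MIDWAY = math.pi / 8          # angle of the state exactly between |up> and |right>


def inner(a, b):
    return a[0] * b[0] + a[1] * b[1]


def bloch_state(theta):
    """cos(theta)|up> + sin(theta)|down>."""
    return (math.cos(theta), math.sin(theta))


def conclusiveness(state):
    """Alice picks the up/down or left/right basis with probability 1/2. With
    {|up>,|right>} announced, only |down> (rules out |up>, bit 1) or |left>
    (rules out |right>, bit 0) is conclusive. Returns (p_c, p_b): probability
    of a conclusive result, and Bob's best chance to guess the recorded bit
    given that the result was conclusive."""
    p_down = 0.5 * inner(DOWN, state) ** 2
    p_left = 0.5 * inner(LEFT, state) ** 2
    p_c = p_down + p_left
    return p_c, (max(p_down, p_left) / p_c if p_c else 0.0)


def conclusiveness_range(steps=3600):
    """Min and max of p_c over all real pure qubit states (mixed states only
    interpolate): the 14.64% / 85.36% limits of the text."""
    vals = [conclusiveness(bloch_state(math.pi * t / steps))[0] for t in range(steps)]
    return min(vals), max(vals)


def max_pc_times_pb(steps=3600):
    """No-signaling bound p_c * p_b <= 1/2, checked over the same states."""
    return max(math.prod(conclusiveness(bloch_state(math.pi * t / steps)))
               for t in range(steps))


def register_density_matrices():
    """Entanglement attack with (|up>_A|R0>_B + |right>_A|R1>_B)/sqrt2.
    Returns (P_c, rho_c, P_n, rho_n): Bob's register state, in the {|R0>,|R1>}
    basis, conditioned on Alice's result being conclusive or not."""
    def accumulate(outcomes):
        prob, rho = 0.0, [[0.0, 0.0], [0.0, 0.0]]
        for o in outcomes:
            v = (inner(o, UP) / SQ2, inner(o, RIGHT) / SQ2)   # unnormalised register vector
            prob += 0.5 * inner(v, v)                          # 0.5: Alice's basis choice
            for r in range(2):
                for c in range(2):
                    rho[r][c] += 0.5 * v[r] * v[c]
        return prob, [[x / prob for x in row] for row in rho]
    p_c, rho_c = accumulate((DOWN, LEFT))
    p_n, rho_n = accumulate((UP, RIGHT))
    return p_c, rho_c, p_n, rho_n


def helstrom_success(p0, rho0, p1, rho1):
    """1/2 (1 + ||p0 rho0 - p1 rho1||_1) for real symmetric 2x2 density matrices."""
    a = p0 * rho0[0][0] - p1 * rho1[0][0]
    b = p0 * rho0[0][1] - p1 * rho1[0][1]
    d = p0 * rho0[1][1] - p1 * rho1[1][1]
    disc = math.sqrt(((a - d) / 2) ** 2 + b ** 2)
    return 0.5 * (1 + abs((a + d) / 2 + disc) + abs((a + d) / 2 - disc))


if __name__ == "__main__":
    print("honest |right>:", conclusiveness(RIGHT))
    print("intermediate state:", conclusiveness(bloch_state(MIDWAY)))
    print("p_c range:", conclusiveness_range(), "max p_c*p_b:", max_pc_times_pb())
    p_c, rho_c, p_n, rho_n = register_density_matrices()
    print("rho_n =", rho_n, "Helstrom success:", helstrom_success(p_c, rho_c, p_n, rho_n))
```

Note what the scan shows beyond the two examples in the text: the product p_c × p_b touches 1/2 only for states such as |↓⟩ sent against the announced pair {|↑⟩, |→⟩}, where Bob raises p_c to 3/4 but can guess Alice's bit with probability 2/3 at best, so a cheating Bob always enters wrong values into K^f at a rate Alice can observe on the extra bits she buys openly.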

This shows that our protocol is cheat-sensitive in the spirit of Refs. [13, …]. In our scenario, Bob sells his database bit by bit. Systematic cheating and hence giving wrong answers will ruin his reputation as a database provider. As we already mentioned above, one can now even make use of the fact that Alice normally obtains additional database elements. If she buys those elements from Bob in a regular, non-private way, she can use them to check Bob's honesty [2?]. By doing so, Alice has a powerful prompt privacy check at hand. One can thus turn what seems a flaw into an advantage, in order to make full use of the privacy, which, as we have seen, is guaranteed by the impossibility of superluminal communication in quantum physics.



VII. OUTLOOK & CONCLUSIONS 

The above discussion has shown that practically very interesting levels of privacy in database queries can be achieved for both sides. The security of the presented protocol relies on fundamental physical principles (the impossibility to deterministically discriminate non-orthogonal states, and the impossibility of superluminal communication), rather than on assumptions on quantum storage limitations [14], mathematical complexity or non-communication between servers in multi-server protocols.

We have already emphasized that the protocol is completely loss-resistant. We believe that error corre
ction is possible as well. This requires additional classical two-way communication and still needs to be elaborated in more detail. Moreover, it is clear that the protocol can be implemented with weak coherent pulses as well. The acceptable amount of loss then depends on the mean photon number per pulse, in order to safeguard database security: high mean photon numbers largely facilitate unambiguous state discrimination for Alice, if one assumes that she is in control of the transmission line. Finally, it is possible to improve database security by more sophisticated post-processing, e.g. by taking a couple of strings created in our probabilistic protocol (with P_0 ≪ 1) and allowing Alice to combine them, i.e. to freely choose relative shifts to add them bitwise. Simulations show that she will be left with knowing exactly one bit of the final key with overwhelming probability. Both error correction and the described way of achieving tighter database security complicate the security analysis due to the necessary two-way communication.

The proposed protocol can be realized with any ex- 
isting QKD system that is compatible with the SARG04 
protocol. Besides ensuring loss tolerance, this also makes 
it easy to scale up to large databases. We hope that our 
proposal will stimulate further work to clarify the open 
questions. Besides a more in-depth study of its secu- 
rity, these include the optimal classical procedures for 
oblivious key generation and error correction. We think 
that there is the potential for private queries to become a 
genuine application of quantum information technology 
in the footsteps of QKD. 